To enable ZooKeeper
authentication on Bookies or Clients, there are two necessary steps:
JAAS
login file and set the appropriate system property to point to it as described in GSSAPI (Kerberos).zkEnableSecurity
in each bookie to true
.The metadata stored in ZooKeeper
is such that only certain clients will be able to modify and read the corresponding znodes. The rationale behind this decision is that the data stored in ZooKeeper is not sensitive, but inappropriate manipulation of znodes can cause cluster disruption.
If you are running a version of BookKeeper that does not support security or simply with security disabled, and you want to make the cluster secure, then you need to execute the following steps to enable ZooKeeper authentication with minimal disruption to your operations.
JAAS
login file, which enables bookie or clients to authenticate. At the end of the rolling restart, bookies (or clients) are able to manipulate znodes with strict ACLs, but they will not create znodes with those ACLs.zkEnableSecurity
to true, which enables the use of secure ACLs when creating znodes.It is also possible to turn off authentication in a secured cluster. To do it, follow these steps:
JAAS
login file, which enable bookies to authenticate, but setting zkEnableSecurity
to false
. At the end of rolling restart, bookies stop creating znodes with secure ACLs, but are still able to authenticate and manipulate all znodes.zkLedgersRootPath
, which defaults to /ledgers
.JAAS
login file.It is also necessary to enable authentication on the ZooKeeper
ensemble. To do it, we need to perform a rolling restart of the ensemble and set a few properties. Please refer to the ZooKeeper documentation for more details.